
Support for whitelisting extensions/mimetype #643

Merged: MarcelGeo merged 3 commits into develop from whitelisting_extensions_mimetypes on Jul 3, 2026

harminius (Contributor) commented Jun 22, 2026

Resolves #573

Since #370, the server rejects "dangerous" file types (e.g. .py, .sh) on upload - but self-hosted deployments that legitimately distribute scripts alongside QGIS projects had no way to opt out.

This adds an optional, comma-separated config var to bypass file security checks:

UPLOAD_EXTENSIONS_WHITELIST - extra file extensions to permit, e.g. .py, .sh


@harminius harminius requested review from MarcelGeo and varmar05 June 22, 2026 13:40
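
An added example, not code from this pull request or the project: one way to parse a comma-separated extension whitelist like the one described above and apply it ahead of a block-list, including the edge cases (mixed case, missing leading dot, stray commas, double extensions). `DEFAULT_BLOCKED`, `parse_extension_whitelist` and `is_upload_allowed` are hypothetical names, and the block-list contents are constructed.

```python
import os

# Constructed stand-in for the server's default block-list (assumption: the real
# list is not shown on this page).
DEFAULT_BLOCKED = frozenset({".py", ".sh", ".exe"})


def parse_extension_whitelist(raw):
    """Turn a comma-separated setting such as '.py, .sh' into normalized extensions."""
    entries = set()
    for item in (raw or "").split(","):
        item = item.strip().lower()
        if not item or item == ".":
            continue  # ignore empty items left by stray commas
        # os.path.splitext() returns the extension with its dot, so store it the same way
        entries.add(item if item.startswith(".") else "." + item)
    return frozenset(entries)


def is_upload_allowed(filename, whitelist, blocked=DEFAULT_BLOCKED):
    """Allow a file unless its final extension is blocked and not whitelisted."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in whitelist:
        return True  # operator opted in: the block-list no longer applies to this type
    return ext not in blocked


if __name__ == "__main__":
    allowed = parse_extension_whitelist(".py, SH,,")
    # Constructed sample file names
    for name in ("tools/export.PY", "run.sh", "setup.exe", "notes.py.exe", "map.qgz"):
        print(name, is_upload_allowed(name, allowed))
```

Only the final extension is compared, so `notes.py.exe` is still judged as `.exe` even when `.py` is whitelisted.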
coveralls commented Jun 22, 2026
Coverage Report for CI Build 28594330861

Coverage increased (+0.01%) to 92.17%

Details

  • Coverage increased (+0.01%) from the base build.
  • Patch coverage: 18 of 18 lines across 3 files are fully covered (100%).
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Relevant Lines: 10038
Covered Lines: 9252
Line Coverage: 92.17%
Coverage Strength: 0.92 hits per line

💛 - Coveralls

Comment thread deployment/community/.env.template Outdated

#BLACKLIST='.mergin/, .DS_Store, .directory' # cast=Csv()

# extra file types to permit beyond the default block-list (e.g. scripts)
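
Review bot: the comment on the last visible line says only "extra file types to permit" and does not state the expected format or the consequence. Suggest spelling out that the value is a comma-separated list of extensions written with a leading dot (e.g. .py, .sh) and that listed types skip the upload security check, so operators know what they are opting into.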

Collaborator


I think we should just give an empty value there, without the cast.

Comment thread server/mergin/sync/utils.py Outdated
if check_skip_validation(filepath):
return True
ext = os.path.splitext(filepath)[1].lower()
if ext in {e.lower() for e in Configuration.UPLOAD_EXTENSIONS_WHITELIST}:
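
Review bot: on the `if ext in {e.lower() ...}` line, whitelist entries are lowercased but not otherwise normalized, so a configured value without a leading dot (py rather than .py) can never match, because os.path.splitext returns the extension with its dot. Consider normalizing the setting once when the configuration is loaded, which also avoids rebuilding the set on every call.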

MarcelGeo (Collaborator) commented Jun 25, 2026

I think we can use the check_skip_validation function for that job, to unify with files, or?

… mimetype check -> mime_type config var is not needed
@harminius harminius requested a review from MarcelGeo July 2, 2026 13:37
@MarcelGeo MarcelGeo merged commit 4ddde36 into develop Jul 3, 2026
5 checks passed